Today the DHS ICS-CERT published alerts for two different
Advantech products: EKI-6340 and AdamView. Adam Greenberg at SCMagazine.com
reports that the same researchers also reported a vulnerability in
WebView.
EKI-6340 Alert
This alert addresses
a command injection vulnerability that was discovered by Facundo Pantaleo and
Flavio Cangini of the Core Security Engineering Team. The disclosure was
coordinated through ICS-CERT, but when Advantech announced that it would not be
fixing the vulnerability because the product will be discontinued next year,
Core Security published
the vulnerability on its web site.
The Core Security notice also includes suggested fixes for
the vulnerability. Too bad Core Security can’t charge Advantech for its laziness
(considering the ease of the fix, which Advantech could have announced itself).
AdamView Alert
This alert addresses
a buffer overflow vulnerability that was discovered by Daniel Kazimirow and
Fernando Paez of the Core Security Engineering Team. The disclosure was
coordinated through ICS-CERT, but Advantech has not supported this product “for a
while” and will not fix the vulnerability. Unfortunately, outdated products do
not usually get fixed.
Core
Security notes that since this is a client-side vulnerability there are
only limited fixes that can be applied to mitigate it.
WebView Vulnerability
The Core Security Team also
reported a stack-based buffer overflow vulnerability in the Advantech
WebView application. I suspect that ICS-CERT has not issued an advisory on this
vulnerability because they may be working to get Advantech to correct the fix
shipped in version 8.0, which Core Security says does not remove the vulnerability
when applied to existing systems.
It appears that the vulnerable file "webeye.ocx" (version
1.0.1.35) is not shipped with the newest version, but when a system running an
earlier version is upgraded the existing webeye.ocx is not removed, so
the vulnerable file, and any registration pointing at it, stays on the machine.
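The leftover-file problem is easy to check for on a given workstation. The PowerShell audit script below is an added example, not code from this post, from Core Security or from Advantech. It takes only two facts from the post (the file name webeye.ocx and the vulnerable version 1.0.1.35); everything else is an assumption: the install path is unknown, so the whole system drive is searched, the control is assumed to be registered the standard ActiveX way (a CLSID key whose InprocServer32 default value points at the .ocx), and Microsoft’s Internet Explorer “kill bit” (Compatibility Flags 0x400) is used as the interim mitigation until the stale file is actually removed.

```powershell
<#
Added audit script (not from the blog post, Core Security or Advantech).
From the post: vulnerable file webeye.ocx, version 1.0.1.35, left behind by
the WebView 8.0 upgrade. Assumptions: install path unknown (search the whole
system drive); standard ActiveX registration under
HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32; IE kill bit as mitigation.
Run from an elevated PowerShell prompt; add -SetKillBit to write the kill bit.
#>
param([switch]$SetKillBit)

$VulnerableVersion = [version]'1.0.1.35'   # from the post; this or older is suspect

# 1. Every copy of the control on disk, with its PE file version.
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'webeye.ocx' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            Vulnerable = ($ver -le $VulnerableVersion)
        }
    }

# 2. CLSIDs whose in-process server is still webeye.ocx. A 32-bit OCX on
#    64-bit Windows registers under WOW6432Node, so both views are checked.
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')
$registered = foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $srvKey = Join-Path $_.PSPath 'InprocServer32'
        $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -match 'webeye\.ocx') {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server; Root = $root }
        }
    }
}

# 3. Kill-bit status for each registration, using the matching registry view.
#    Compatibility Flags 0x400 tells Internet Explorer never to load the CLSID.
foreach ($r in $registered) {
    $compat = if ($r.Root -like '*WOW6432Node*') {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    $key    = Join-Path $compat $r.Clsid
    $flags  = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = ($flags -band 0x400) -ne 0
    if (-not $killed -and $SetKillBit) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
        $killed = $true
    }
    $r | Add-Member -NotePropertyName KillBit -NotePropertyValue $killed
}

# 4. Report. A Vulnerable=True copy that is still registered with KillBit=False
#    is exactly the "upgraded but still exploitable" state the post describes.
$copies     | Format-Table Path, Version, Vulnerable -AutoSize
$registered | Format-Table Clsid, Server, Root, KillBit -AutoSize
```

The kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility list) from instantiating the control; it does not remove the file, and an application that loads the control directly is unaffected. Treat it as a stopgap: the durable fix is to unregister the stale control (`regsvr32 /u` on the reported path) and delete the file, which is what a corrected vendor installer should be doing.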
Not So Coordinated Disclosure
Now I fully understand (and support) the Core Security Team’s
publication of the first two vulnerabilities, since the vendor told ICS-CERT
that they would not be issuing a fix. That makes the vulnerability fair game
for publication in my opinion, especially when Core Security stepped up and
suggested mitigation measures.
The question on the third is a tad more vague. Core
Security reports that they notified ICS-CERT on October 1st about the vulnerability (actually all three vulnerabilities) and then advised ICS-CERT on October 21st that the fix Advantech reported did not actually fix existing systems. Their advisory reports that ICS-CERT told them on October 27th why it did not work, but does not indicate that Advantech refused to revise the fix.
I would hope that ICS-CERT was working with Advantech to get
them to revise the Version 8.0 fix so that it did remove and/or modify the
existing file. Lacking a specific notice that Advantech refused to fix the fix, I
think that a responsible researcher (in my definition) would give ICS-CERT a
little more than just 23 days to get a recalcitrant vendor to see the error of
their ways. But, that is just my opinion.